Information Disclosure Vulnerability in Microsoft Outlook Web Access for Exchange Server 5.5
A vulnerability exists in Microsoft OWA for Exchange Server 5.5. An attacker can make unauthorized or unauthenticated requests to reveal information (e.g., email aliases and addresses) stored in the Global Address List (GAL).
September 9, 2001
Reported September 7, 2001, by Microsoft.
VERSION AFFECTED
· Microsoft Outlook Web Access (OWA) for Exchange Server 5.5
DESCRIPTION
A vulnerability exists in Microsoft OWA for Exchange Server 5.5. An attacker can make unauthorized or unauthenticated requests to reveal information (e.g., email aliases and addresses) stored in the Global Address List (GAL). This vulnerability results because a function in OWA that interrogates the GAL doesn't require authentication. Unauthenticated users can call the function and enumerate the mail addresses of users on the server.
VENDOR RESPONSE
The vendor, Microsoft, has released security bulletin MS01-047 to address this vulnerability and recommends that affected users apply the patch the vendor provides.
CREDIT
Discovered by Noam Rathaus of SecuriTeam.